mi: reset the PointerWindows reference on screen switch (!1188) · Merge requests · xorg / xserver

Peter Hutterer requested to merge whot/xserver:wip/cve-2023-5380 into master Oct 25, 2023

PointerWindows[] keeps a reference to the last window our sprite entered - changes are usually handled by CheckMotion().

If we switch between screens via XWarpPointer our dev->spriteInfo->sprite->win is set to the new screen's root window. If there's another window at the cursor location CheckMotion() will trigger the right enter/leave events later. If there is not, it skips that process and we never trigger LeaveWindow() - PointerWindows[] for the device still refers to the previous window.

If that window is destroyed we have a dangling reference that will eventually cause a use-after-free bug when checking the window hierarchy later.

To trigger this, we require:

two protocol screens
XWarpPointer to the other screen's root window
XDestroyWindow before entering any other window

This is a niche bug so we hack around it by making sure we reset the PointerWindows[] entry so we cannot have a dangling pointer. This doesn't handle Enter/Leave events correctly but the previous code didn't either.

CVE-2023-5380, ZDI-CAN-21608

This vulnerability was discovered by: Sri working with Trend Micro Zero Day Initiative

mi: reset the PointerWindows reference on screen switch

Merge request reports